GNU Guix users need to update now to stay safe

Multiple dangerous vulnerabilities have patches available now. Putting off updates risks both remote and local privilege escalation, plus DOS attacks.

Share
The Guix logo on a gradient background.

Developers of the GNU Guix package manager announced today that multiple security issues, including risk of remote privilege escalation, affect its guix substitute utility and others. Patches are available now through normal upgrade channels.

Happening now

The vulnerabilities, whose CVE IDs are pending at the time of writing, allow malicious code inserted into the code substitute system. Once the vulnerability has been taken advantage of, according to GNU Guix's announcement, an attacker can gain "remote privilege escalation to the build daemon user, remote store corruption, and potentially local disclosure of sensitive files accessible to the build daemon user."

GNU Guix (@guix@hachyderm.io)
⚠️ Guix security alert ⚠️ Critical security vulnerabilities in the guix daemon and substitute capabilities have been disclosed. ALL users should immediately update. https://guix.gnu.org/en/blog/2026/guix-substitute-pull-vulnerabilities/ #guix #security #update

If you attempt to download any binary substitute, remote privilege escalation can happen, allowing remote attackers to do damage. As the blog post reads:

The remote exploitation of guix substitute only requires that the vulnerable system attempt to download a binary substitute. Any configured substitute server, including ones discovered using guix-daemon's --discover option, can exploit this, and so can a man-in-the-middle (MITM), regardless of whether https is used in the substitute server urls.

An attacker with local access only needs to connect to guix-daemon's socket to start doing damage.

There's also a separate vulnerability in the guix pull and guix time-machine, where an attacker with control over the channels file can create or overwrite files wherever those commands are run. The developers wrote that a DOS attack is possible: "Due to limitations on the content of the created or overwritten file, this primarily represents a denial-of-service risk, though in theory it could do more."

How to stay safe

If you're running GNU Guix, you should upgrade guix and guix-dameon as soon as possible to protect your system from the vulnerabilities. However, one of the vulnerabilities can be exploited with the substitution process that upgrading involves. For that reason, GNU Guix's developers recommend considering passing the --no-substitutes flag when upgrading. How important and realistic that is, though, depends on your situation, so read the vulnerability report carefully before proceeding.

If you're running Guix System (the operating system rather than just the package manager), you can run this series of commands to upgrade and reboot the system:

guix pull
sudo guix system reconfigure /run/current-system/configuration.scm
sudo herd restart guix-daemon

If you're running the Guix package manager on another Linux distribution, you can protect yourself by upgrading and restarting the the service. For example, on a distro running systemd (the most common init service), you would run these two commands:

sudo --login guix pull
sudo systemctl restart guix-daemon.service

You can confirm you're at a protected state by checking that your version of guix is commit 897832f374dcdc9eeaf19d01e70b9a92fccfc68c or later.

Zooming out

Why this announcement matters: A remote privilege escalation means an attacker doesn't need to have physical access to the computer. That's a danger to anyone running GNU Guix while connected to the internet.

My take: I'm glad to see GNU Guix developers patching and alerting their userbase to vulnerabilities even before the official CVEs were published.

Diving in

Go further: You can read the full vulnerability announcement on GNU Guix's website for all the details.

New In Linux: Trustworthy open source news and resources

Jordan Gloor © .